
OVPN traffic stops (Solved)

Posted: Sat Apr 03, 2010 12:47 am
by tagno25
I have set up an OVPN client and server. I have it working how I want to, but after a short period of time the connection stops passing any traffic. To get the connection back I have to disable and then enable the OVPN-client connection.

Server:
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=default comment="" idle-timeout=30m local-address=\
    192.168.4.1 name=OVPN only-one=no rate-limit=20M/20M remote-address=\
    ovpn-pool use-compression=default use-encryption=required \
    use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    name=xxxxxxx password=xxxxxxx profile=OVPN routes="" service=ovpn
/interface ovpn-server
add comment="" disabled=no name=ovpn-in1 user=xxxxxxx
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=OVPN enabled=yes keepalive-timeout=disabled mac-address=\
    FE:B8:0B:2F:47:AE max-mtu=1500 mode=ip netmask=29 port=443 \
    require-client-certificate=no
/ip pool
add name=ovpn-pool ranges=192.168.4.2-192.168.4.50
Client:
/interface ovpn-client
add add-default-route=yes auth=md5 certificate=none cipher=blowfish128 comment="" connect-to=xxx.xxx.xxx.26 disabled=no mac-address=0B:FF:96:21:DF:D4 \
    max-mtu=1500 mode=ip name=ovpn-out1 password=xxxxxxx port=443 profile=default user=xxxxxxx
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=2 disabled=no host-name=no.host interface=ether1
Edit:
The OVPN server needs the CA certificate to be present. I put the CA certificate on the server and the problem seems to be fixed.


Edit 2:
It only stayed up for ~1 hour. It went back to dying ~2 minutes after the OVPN client is started.

Re: OVPN traffic stops

Posted: Sun Apr 04, 2010 1:56 am
by tagno25
Here is some log info from when the OVPN drops. I have a ping going across the link from both sides when this happens.

Log on server:
17:46:03 ovpn,info ovpn-xxxxxxx: terminating... - nothing received for a while 
17:46:03 ovpn,info ovpn-xxxxxxx: disconnected 
17:46:10 ovpn,info TCP connection established from xxx.xxx.xxx.28 
17:46:10 ovpn,info <ovpn-0>: dialing... 
17:46:21 ovpn,info <ovpn-0>: using encoding - AES-256-CBC/MD5 
17:46:24 ovpn,info ovpn-xxxxxxx: connected 
17:46:24 ovpn,info,account xxxxxxx logged in, 192.168.4.48 
17:49:07 ovpn,info,account xxxxxxx logged out, 162 8116 6496 127 124 
17:49:07 ovpn,info ovpn-xxxxxxx: terminating... - nothing received for a while 
17:49:07 ovpn,info ovpn-xxxxxxx: disconnected 
17:49:18 ovpn,info TCP connection established from xxx.xxx.xxx.28 
17:49:18 ovpn,info <ovpn-0>: dialing... 
17:49:39 ovpn,info <ovpn-0>: using encoding - AES-256-CBC/MD5 
17:49:40 ovpn,info ovpn-xxxxxxx: connected 
17:49:40 ovpn,info,account xxxxxxx logged in, 192.168.4.48 
Log on Client:
17:49:07 ovpn,debug ovpn-out1: disconnected <nothing received for a while> 
17:49:07 ovpn,info ovpn-out1: terminating... - nothing received for a while 
17:49:07 ovpn,info ovpn-out1: disconnected 
17:49:17 ovpn,info ovpn-out1: initializing... 
17:49:17 ovpn,info ovpn-out1: dialing... 
17:49:40 ovpn,info ovpn-out1: using encoding - AES-256-CBC/MD5 
17:49:48 ovpn,info ovpn-out1: connected 
17:50:58 ovpn,debug ovpn-out1: disconnected <nothing received for a while> 
17:50:58 ovpn,info ovpn-out1: terminating... - nothing received for a while 
17:50:58 ovpn,info ovpn-out1: disconnected 
17:51:08 ovpn,info ovpn-out1: initializing... 
17:51:08 ovpn,info ovpn-out1: dialing... 
17:51:25 ovpn,info ovpn-out1: using encoding - AES-256-CBC/MD5 
17:51:26 ovpn,info ovpn-out1: connected 
Does anyone have any suggestions or helpful advice?

Re: OVPN traffic stops

Posted: Sun Apr 04, 2010 10:24 pm
by Sob
Turning on keepalive might help.

Re: OVPN traffic stops

Posted: Sun Apr 04, 2010 10:34 pm
by tagno25
Sob wrote:
> Turning on keepalive might help.
I tried turning it on (I set it to 30), but it still does the same thing.

Re: OVPN traffic stops

Posted: Mon Apr 05, 2010 11:52 pm
by XTLMeth
I have had this problem for a while and even posted on this forum. Nobody cared. Everyone claims they have openvpn running without issues. In my case I have to reboot my routerboard about every 24 days to get it to work again.

Re: OVPN traffic stops

Posted: Tue Apr 06, 2010 12:36 am
by tagno25
Now the log shows "peer disconnected" on both sides

Client:
16:31:17 ovpn,debug ovpn-out1: disconnected <peer disconnected> 
16:31:17 ovpn,info ovpn-out1: terminating... - peer disconnected 
Server:
16:34:48 ovpn,info ovpn-xxxxxxx: terminating... - peer disconnected 
16:34:48 ovpn,info ovpn-xxxxxxx: disconnected 

Re: OVPN traffic stops

Posted: Wed Apr 07, 2010 5:28 am
by XTLMeth
I have seen the exact same behavior. The sad part is this issue won't have any priority as I have said before that everyone else seems to think that they have openvpn running without any issues. I have tried several different configs and have not been successful. I use pptp connections and they stay up for months without a single glitch so for less secure situations I use pptp.

Re: OVPN traffic stops

Posted: Wed Apr 07, 2010 6:34 am
by tagno25
XTLMeth wrote:
> I have seen the exact same behavior. The sad part is this issue won't have any priority as I have said before that everyone else seems to think that they have openvpn running without any issues. I have tried several different configs and have not been successful. I use pptp connections and they stay up for months without a single glitch so for less secure situations I use pptp.
I would use PPTP, but all traffic except port 80, 443, and a few others has been blocked (and port 80 is filtered). That makes me have to use a connection on port 443. I have been using an SSH tunnel, but I would like to use VPN on a router for simpler setup.

I switched to easy-RSA for the certificate, but that still didn't help. I will try using a linux server next.

Re: OVPN traffic stops

Posted: Wed Apr 07, 2010 6:27 pm
by tagno25
I think I found out what the problem was.

When I checked "Add Default Gateway" on the ovpn client, all traffic wanted to go through it, even the ovpn session. :shock:

I had to add a static route for the VPN connection IP to the route list to force that IP to go through the correct gateway. It would be nice if that was done automatically (especially since this is for mobile use). I made a simple script for the netwatch tool.
/tool netwatch
add comment="" disabled=no down-script=":log info \"!!!osvpn down!!!\";\r\
    \n:log info \"---Changing gateway for OVPN server---\";\r\
    \n\r\
    \n#Change IPs to be correct\r\
    \n/ip route set [/ip route find dst-address=\"xxx.xxx.xxx.xxx/32\"] gateway=[/ip dhcp-client get ether1 \
    gateway]\r\
    \n\r\
    \n:log info \"------------\";" host=192.168.4.1 interval=30s timeout=1s up-script=\
    ":log info \"!!!osvpn up!!!\";\r\
    \n"
I know it would be better if I checked the current value to see if I needed to change it, but I wanted it to be simple (and quick to type/create).
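The routing loop described in the post above, as an added example that is not part of the original thread: a small route-lookup model showing why the tunnel's default route captures the VPN session itself, and how a /32 host route to the server fixes it. The server address 203.0.113.26, the DHCP gateway 198.51.100.1 and the tunnel route's distance of 1 are constructed assumptions; the interface names, 192.168.4.1 and the DHCP distance of 2 come from the posted config.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dst: str        # destination prefix
    gateway: str    # next hop ("direct" for a connected network)
    interface: str  # egress interface
    distance: int   # administrative distance, lower wins

def lookup(routes, ip):
    """Pick the route for ip: longest prefix first, then lowest distance."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r.dst)]
    if not matches:
        return None
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r.dst).prefixlen, -r.distance))

def tunnel_captures_endpoint(routes, server_ip, tunnel_if):
    """True when the tunnel's own transport packets would leave via the tunnel."""
    best = lookup(routes, server_ip)
    return best is not None and best.interface == tunnel_if

def pin_endpoint(routes, server_ip, underlay_if):
    """Add a /32 route to the VPN server via the underlay's default gateway."""
    defaults = [r for r in routes if r.interface == underlay_if
                and ipaddress.ip_network(r.dst).prefixlen == 0]
    if not defaults:
        raise ValueError("no default route on " + underlay_if)
    gw = min(defaults, key=lambda r: r.distance).gateway
    return routes + [Route(server_ip + "/32", gw, underlay_if, 1)]

# Constructed sample table for the client after the tunnel comes up.
SERVER = "203.0.113.26"   # placeholder for the masked xxx.xxx.xxx.26
BROKEN = [
    Route("0.0.0.0/0", "192.168.4.1", "ovpn-out1", 1),   # add-default-route=yes
    Route("0.0.0.0/0", "198.51.100.1", "ether1", 2),     # DHCP, distance 2
    Route("198.51.100.0/24", "direct", "ether1", 0),
]

if __name__ == "__main__":
    print("before:", lookup(BROKEN, SERVER))
    fixed = pin_endpoint(BROKEN, SERVER, "ether1")
    print("after: ", lookup(fixed, SERVER))
    print("other traffic still tunnelled:", lookup(fixed, "192.0.2.10"))
```

The same check is worth running against any full-tunnel client config: the only destination that must bypass the tunnel is the VPN server's own address.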

Re: OVPN traffic stops (Solved)

Posted: Thu Apr 08, 2010 1:08 am
by XTLMeth
In my case I'm doing a point to point with a /30 and I don't use the set default route option. My client side is a mikrotik server and my server side is a linux openvpn server. I have other windows clients connected to the same linux server for months but the mikrotik client router stops passing traffic after 24 days and I don't know why. There is nothing in the logs and if I disable and re-enable everything stays the same. When I reboot the router everything is fine again.